How to use both FileVault 2 and BitLocker simultaneously on a dual-boot Mac running Boot Camp
I am the proud owner of a beautifully noisy drive.
A noisy drive?!?!?!!!! Get your data off that before it dies!!!
Oh, did you get a HDD stepper to play music??
That's fine, if you don't want to tell me I'll go to another blog
Ok, Ok. This post is about something I have been wanting for ages and didn't think was possible. It shows how to use both FileVault 2 and BitLocker simultaneously on a multi-boot Mac (running Boot Camp). The noise I'm referring to is the pseudorandom noise of a full-disk-encrypted (FDE) drive :D
What’s so special about that? Is this not an easy thing to do?
No. Generally it is not possible, because of some good design choices that both Apple and Microsoft (and other encryption providers) have made, mixed with a silly one that Apple has made.
Both the Microsoft and the Apple boot paths require a boot loader to stay on an unencrypted volume; that loader then unlocks the protected, encrypted partition. So to use FDE on either operating system you need two primary partitions. Legacy partition tables use the MBR to describe the partition layout, and an MBR holds at most four primary partitions.
Can we not just use those four primary partitions?
Nope. The Mac has a recovery partition that you need to keep intact, so only three primary partitions are available. That means typically only one of the two operating systems can enjoy FDE (and I'm not using containers inside an OS, that's too leaky…).
Are we going to time travel and change some specs???
Nope. Luckily for us the Mac keeps two partition tables on the disk: a GPT, and an MBR (a so-called hybrid MBR) alongside it.
The first MBR entry is the protective one (type EE) that marks the disk as GPT and covers the GPT structures and the EFI system partition at the start of the disk. The Mac itself boots from the GPT, and its encrypted-boot loader unlocks the OS X partition described there.
When booting Windows/Boot Camp, the MBR is read to find the Windows boot loader partition, and that loader in turn uses the MBR to locate and unlock the encrypted Windows partition.
So for a fully encrypted dual-boot system we only need three entries in the MBR: the protective entry plus the two Windows partitions. Normally, though, the hybrid MBR is written as a clone of the GPT entries, which is where the problem lies: the OS X and Recovery entries take up slots that Windows needs.
Happily, we can use some ancient tools to edit the MBR by hand and allow dual boot of two fully encrypted operating systems while keeping our beloved recovery partition.
The process is as follows:
<disclaimer: this guide is provided as-is and has no warranty. If you suffer data loss, damage etc. then that is your responsibility, so be a mature person and accept that>
Partition the disk using Disk Utility in OS X
Reduce the size of the OS X partition to make room for Windows; here I am giving OS X 98 GB.
Then create two new partitions:
- One for the Windows partition
- One for the BitLocker boot loader (around 200 MB to 1 GB)
Enable FileVault and reboot
Go to System Preferences > Security & Privacy > [FileVault] and turn it on. Remember to store your recovery key responsibly; mine is on an encrypted backup… not stored with Apple.
Then reboot to enable/verify the encryption.
Get the partition parameters from the GPT partition table
Open Terminal and run the following command to get the details of the GPT table.
sudo gpt -rv show -l disk0
Take note of the start sector, size and type of each partition.
Erase and recreate the MBR table, including only the Windows partitions and the protective entry that covers the EFI system partition
The Windows partitions and the EFI system partition are the items at indexes 1, 4 and 5 in the gpt output. On your system the Windows indexes may differ, but index 1 should be the same.
Go to Terminal and open fdisk in edit mode:
sudo fdisk -e /dev/disk0
Erase the MBR table.
Add a new table and then a new entry for the protective (type EE) partition:
add 1
Edit this entry so that it covers the GPT structures and the EFI system partition; the size comes from index 1 above. In a standard OS X 10.9 layout the values should be identical to these:
edit 1
Partition id: EE
CHS mode: no
Partition offset: 1
Partition size: 409600
Then add the first Windows partition. I got the offset and size from index 4 above; these will be different on your system, so pay attention to YOUR start and size values and make sure it is the correct Windows partition.
edit 2
Partition id: 07
CHS mode: no
Partition offset: 193085424
Partition size: 296059568
Now add the second Windows partition. I got the offset and size from index 5 above; again these will be different on your system, so pay attention to YOUR start and size values and make sure it is the correct Windows partition.
edit 3
Partition id: 07
CHS mode: no
Partition offset: 489407136
Partition size: 827576
Then write the MBR table using the command
When you issue the print command, a table similar to the following is displayed (the exact details will differ according to your disk layout).
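Before rebooting into the new table it is worth checking, byte for byte, that what you typed at the fdisk prompts matches the GPT. The following Python script is an added example, not part of the original post: it parses the MBR in sector 0 and the GPT header and entry array that follow it, then verifies that the hybrid MBR has exactly one protective (type EE) entry starting at LBA 1 and that every other MBR entry matches a GPT entry exactly in start sector and size. The disk image, the volume names and the BITLOCKER label are constructed for the example (the sector numbers for the Windows entries are the ones from the table above); to run it against a real Mac, read the first 34 sectors of the disk (for example `sudo dd if=/dev/rdisk0 bs=512 count=34 of=head.bin`) and pass that to parse_mbr and parse_gpt instead of the constructed image.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
MBR_PROTECTIVE = 0xEE  # MBR partition id of the GPT protective entry
MBR_NTFS = 0x07        # MBR partition id Windows uses for its volumes

# Published GPT partition type GUIDs.
TYPE_EFI = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
TYPE_APPLE_HFS = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")
TYPE_APPLE_BOOT = uuid.UUID("426F6F74-0000-11AA-AA11-00306543ECAC")
TYPE_MS_BASIC = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")

MBR_ENTRY = struct.Struct("<B3sB3sII")            # status, CHS start, type, CHS end, LBA, size
GPT_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")  # the 92-byte GPT header at LBA 1
GPT_ENTRY = struct.Struct("<16s16sQQQ72s")        # type GUID, unique GUID, first, last, attrs, name


def parse_mbr(sector0):
    """Return [(type_id, start_lba, size_in_sectors)] for the populated MBR slots."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR boot signature")
    entries = []
    for slot in range(4):
        _st, _c0, ptype, _c1, lba, size = MBR_ENTRY.unpack_from(sector0, 446 + 16 * slot)
        if ptype:
            entries.append((ptype, lba, size))
    return entries


def parse_gpt(image):
    """Return [(type_guid, name, start_lba, size_in_sectors)] from the GPT at LBA 1."""
    hdr = image[SECTOR:SECTOR + GPT_HEADER.size]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first, _last, _disk,
     entries_lba, n_entries, entry_size, entries_crc) = GPT_HEADER.unpack(hdr)
    if sig != GPT_SIGNATURE:
        raise ValueError("no GPT header at LBA 1")
    # The header CRC is computed over the header with its own CRC field zeroed.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    table = image[entries_lba * SECTOR:entries_lba * SECTOR + n_entries * entry_size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("GPT entry array CRC mismatch")
    entries = []
    for i in range(n_entries):
        tguid, _uguid, first, last, _attr, name = GPT_ENTRY.unpack_from(table, i * entry_size)
        tguid = uuid.UUID(bytes_le=tguid)  # GPT stores GUIDs in mixed-endian order
        if tguid.int:  # an all-zero type GUID marks an unused slot
            entries.append((tguid, name.decode("utf-16-le").rstrip("\0"), first, last - first + 1))
    return entries


def check_hybrid_mbr(mbr, gpt):
    """Return a list of problems; an empty list means every MBR entry agrees with the GPT."""
    problems = []
    protective = [e for e in mbr if e[0] == MBR_PROTECTIVE]
    if len(protective) != 1 or protective[0][1] != 1:
        problems.append("expected exactly one type-EE protective entry starting at LBA 1")
    gpt_extents = {(start, size) for _t, _n, start, size in gpt}
    for ptype, lba, size in mbr:
        if ptype != MBR_PROTECTIVE and (lba, size) not in gpt_extents:
            problems.append(f"MBR type {ptype:02X} at offset {lba} size {size} matches no GPT entry")
    return problems


def build_image(mbr_entries, gpt_entries, total_sectors):
    """Constructed disk head: MBR at sector 0, GPT header at LBA 1, 128 entries at LBAs 2-33."""
    mbr = bytearray(SECTOR)
    for slot, (ptype, lba, size) in enumerate(mbr_entries):
        MBR_ENTRY.pack_into(mbr, 446 + 16 * slot, 0, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, size)
    mbr[510:512] = b"\x55\xaa"
    table = bytearray(128 * GPT_ENTRY.size)
    for i, (tguid, name, start, size) in enumerate(gpt_entries):
        GPT_ENTRY.pack_into(table, i * GPT_ENTRY.size, tguid.bytes_le, uuid.uuid4().bytes_le,
                            start, start + size - 1, 0, name.encode("utf-16-le"))
    hdr = bytearray(GPT_HEADER.pack(GPT_SIGNATURE, 0x00010000, GPT_HEADER.size, 0, 0, 1,
                                    total_sectors - 1, 34, total_sectors - 34, uuid.uuid4().bytes_le,
                                    2, 128, GPT_ENTRY.size, zlib.crc32(table)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    return bytes(mbr) + bytes(hdr).ljust(SECTOR, b"\0") + bytes(table)


# Constructed layout; the Windows start sectors and sizes are the ones from the table above.
SAMPLE_GPT = [
    (TYPE_EFI, "EFI System Partition", 40, 409600),
    (TYPE_APPLE_HFS, "Macintosh HD", 409640, 191406160),
    (TYPE_APPLE_BOOT, "Recovery HD", 191815800, 1269536),
    (TYPE_MS_BASIC, "BOOTCAMP", 193085424, 296059568),
    (TYPE_MS_BASIC, "BITLOCKER", 489407136, 827576),
]
TOTAL_SECTORS = 490234752
MBR_GOOD = [(MBR_PROTECTIVE, 1, 409600), (MBR_NTFS, 193085424, 296059568), (MBR_NTFS, 489407136, 827576)]
# The same table with one digit mistyped at the fdisk prompt: the loader entry is a sector short.
MBR_BAD = [(MBR_PROTECTIVE, 1, 409600), (MBR_NTFS, 193085424, 296059568), (MBR_NTFS, 489407136, 827575)]


def audit(mbr_entries):
    """Build the sample image for the given MBR entries and report hybrid-MBR problems."""
    image = build_image(mbr_entries, SAMPLE_GPT, TOTAL_SECTORS)
    return check_hybrid_mbr(parse_mbr(image[:SECTOR]), parse_gpt(image))


if __name__ == "__main__":
    print("correct table:", audit(MBR_GOOD))
    print("mistyped size:", audit(MBR_BAD))
```

The check is deliberately strict: an MBR entry that is a single sector off still describes a volume whose last sector lies outside what Windows formatted, or overlaps the next partition, so partial matches are reported rather than tolerated. The protective entry is exempt from the comparison because its job is only to cover the GPT structures, not to mirror a GPT partition one to one.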
Now that the tough stuff is done we only need to install Windows. Pop in a Windows install disc, install, and then do the following in the installed system before turning BitLocker on.
Open the Group Policy Editor by running gpedit.msc
In the Group Policy Editor open:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
Then open the entry Require additional authentication at startup.
This brings up an editor for the policy. Select the Enabled radio button and then, in the options panel, tick the Allow BitLocker without a compatible TPM checkbox. Without a TPM, BitLocker will protect the volume key with a startup key on a USB drive (or, on Windows 8 and later, a password) that you must supply at every boot, so keep that key somewhere other than the laptop bag.
Enjoy your dual-boot, encrypted work-capable machine :)